Seriously change the password and make sure the email is correct as well.

Yep - changed password as soon as I could.

Email address was still correct, so not sure what they were able to achieve. They certainly got access to some of my account details and supposedly changed the name on the account, and they purchased and downloaded a game.

Unfortunately they've disabled my account as part of this, so I need to work out what to do next, but they've said they are refunding the amount that was spent even though it is an exception to the iTunes Store Terms and Conditions, which state that all sales are final. (their words)

Full response below

Dear Craig,

Thank you for contacting the iTunes Store Customer Support. This is Riyaz here.

I understand that you are reporting unauthorized purchases in your account "XXXX". I know this might be upsetting for you.

To prevent further purchasing, I have disabled your account.

We have issued a refund for the items purchased without your permission. The decision to refund these items was made after a careful review of your case. Please note that this is an exception to the iTunes Store Terms and Conditions, which state that all sales are final. You will see 24.99 NZD added to your store credit balance within 24 hours. You may need to sign out of the iTunes Store and then sign back in before you see the credit in your account.

The security of your account is important to Apple. If you would like to enable your account, we will manually reset the password for you and include helpful information for when you reset the password again yourself. It is recommended that you reset the password even if you wish to leave your account disabled.

If you would like to request that your iTunes Store account be enabled, please reply to this email.

To increase the security of your account I highly recommend that you follow the suggestions outlined in this article:

So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

If you have an iTunes account go to it right away and change your password!

Er, how did they gain access to your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

Just be aware that the "helpful information for when you reset the password again yourself" is some of those retarded easy to socially engineer "secret" questions that many people found their iDevices demanding randomly a while ago after a password change.

So either enter gibberish in them and record them down like you would a password or tell Apple they have no business demanding that personal information about you and refuse to give it to them.

I know that if you call Apple support and abuse them about your iPad suddenly wanting personal information that you never were told you would have to provide when you bought it they have some way of bypassing it on their end allowing you to purchase again on the iPad.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

If you have an iTunes account go to it right away and change your password!

You have to wonder why that letter from iTunes states their terms and conditions clause:

Please note that this is an exception to the iTunes Store Terms and Conditions, which state that all sales are final.

That would imply that this is an exception and they don't usually refund when there has been fraudulent use on the account? Of course they would, or there would be a credit card charge back. I just don't understand why they needed to mention that clause.

Perhaps actually check the file to see if your details were in it? Most likely they weren't and the incidents are unconnected. Even if your details were in there (unlikely) it's not enough detail to compromise your account. This is the entirety of a line of the file (with some x's whacked in there):

mattwnz: I just don't understand why they needed to mention that clause.

I guess it's some legal policy where they need to tell you that they're breaking the agreement that you "signed". I'm sure people would be upset if Apple went in the other direction and broke the agreement in a way that negatively affects the customer.